{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock",
    "id" : "2461501",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461501"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-413",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nKVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock\nTake and hold kvm->lock for before checking sev_guest() in\nsev_mem_enc_register_region(), as sev_guest() isn't stable unless kvm->lock\nis held (or KVM can guarantee KVM_SEV_INIT{2} has completed and can't\nrollack state).  If KVM_SEV_INIT{2} fails, KVM can end up trying to add to\na not-yet-initialized sev->regions_list, e.g. triggering a #GP\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 110 UID: 0 PID: 72717 Comm: syz.15.11462 Tainted: G     U  W  O        6.16.0-smp-DEV #1 NONE\nTainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\nHardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024\nRIP: 0010:sev_mem_enc_register_region+0x3f0/0x4f0 ../include/linux/list.h:83\nCode: <41> 80 3c 04 00 74 08 4c 89 ff e8 f1 c7 a2 00 49 39 ed 0f 84 c6 00\nRSP: 0018:ffff88838647fbb8 EFLAGS: 00010256\nRAX: dffffc0000000000 RBX: 1ffff92015cf1e0b RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff888367870000\nRBP: ffffc900ae78f050 R08: ffffea000d9e0007 R09: 1ffffd4001b3c000\nR10: dffffc0000000000 R11: fffff94001b3c001 R12: 0000000000000000\nR13: ffff8982ab0bde00 R14: ffffc900ae78f058 R15: 0000000000000000\nFS:  00007f34e9dc66c0(0000) GS:ffff89ee64d33000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe180adef98 CR3: 000000047210e000 CR4: 0000000000350ef0\nCall Trace:\n<TASK>\nkvm_arch_vm_ioctl+0xa72/0x1240 ../arch/x86/kvm/x86.c:7371\nkvm_vm_ioctl+0x649/0x990 ../virt/kvm/kvm_main.c:5363\n__se_sys_ioctl+0x101/0x170 ../fs/ioctl.c:51\ndo_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0x6f/0x1f0 ../arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f34e9f7e9a9\nCode: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f34e9dc6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f34ea1a6080 RCX: 00007f34e9f7e9a9\nRDX: 0000200000000280 RSI: 000000008010aebb RDI: 0000000000000007\nRBP: 00007f34ea000d69 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f34ea1a6080 R15: 00007ffce77197a8\n</TASK>\nwith a syzlang reproducer that looks like:\nsyz_kvm_add_vcpu$x86(0x0, &(0x7f0000000040)={0x0, &(0x7f0000000180)=ANY=[], 0x70}) (async)\nsyz_kvm_add_vcpu$x86(0x0, &(0x7f0000000080)={0x0, &(0x7f0000000180)=ANY=[@ANYBLOB=\"...\"], 0x4f}) (async)\nr0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)\nr1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)\nr2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)\nr3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)\nioctl$KVM_SET_CLOCK(r3, 0xc008aeba, &(0x7f0000000040)={0x1, 0x8, 0x0, 0x5625e9b0}) (async)\nioctl$KVM_SET_PIT2(r3, 0x8010aebb, &(0x7f0000000280)={[...], 0x5}) (async)\nioctl$KVM_SET_PIT2(r1, 0x4070aea0, 0x0) (async)\nr4 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0)\nopenat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async)\nioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000001000/0x2000)=nil}) (async)\nr5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)\nclose(r0) (async)\nopenat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x8000, 0x0) (async)\nioctl$KVM_SET_GUEST_DEBUG(r5, 0x4048ae9b, &(0x7f0000000300)={0x4376ea830d46549b, 0x0, [0x46, 0x0, 0x0, 0x0, 0x0, 0x1000]}) (async)\nioctl$KVM_RUN(r5, 0xae80, 0x0)\nOpportunistically use guard() to avoid having to define a new error label\nand goto usage.", "A flaw was found in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem. A local user could exploit a concurrency issue by failing to properly protect the `sev_mem_enc_register_region()` function with the `kvm->lock`. This can lead to an unstable state if KVM initialization fails, resulting in a general protection fault and a null-pointer dereference. The most important consequence is a denial of service, causing the system to crash." ],
  "statement" : "`sev_mem_enc_register_region()` is now fully serialized with `kvm->lock`, closing races in SEV memory region registration. Red Hat recommends patched KVM kernels for SEV deployments.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31592\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31592\nhttps://lore.kernel.org/linux-cve-announce/2026042415-CVE-2026-31592-954a@gregkh/T" ],
  "name" : "CVE-2026-31592",
  "csaw" : false
}